Blog entry by Les Bell

by Les Bell - Thursday, 22 June 2023, 7:54 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Apple Issues Urgent Patches for 0days

Apple has issued urgent patches for two vulnerabilities in the iOS and iPadOS mobile device operating systems, in response to claims the vulnerabilities are being exploited in the wild.

The vulnerabilities are

  • CVE-2023-32434: Integer overflow in the kernel due to inadequate input validation
  • CVE-2023-32439: Type confusion in WebKit

The vulnerabilities were used by an implant, discovered by Kaspersky researchers and claimed to be part of a campaign which they have named Operation Triangulation. CVE-2023-32434 is used during initial exploitation, in order to gain root privileges before deploying the implant in memory - as a result, the implant cannot survive a reboot, and the attackers have to install it again by sending an iMessage with a malicious attachment. If the device is not rebooted, the implant normally removes itself after 30 days, although this can be extended.

Once running, the implant communicates with its C2 server via a RESTful HTTPS API, implemented with the Protobuf library. All traffic takes the form of key-value pairs, encrypted with either 3DES or RSA. The implant sends heartbeat messages, while the C2 server sends any of 24 commands for

  • Interacting with the filesystem (creation, modification, exfiltration and removal of files)
  • Interacting with processes (listing and terminating them)
  • Dumping the victim’s keychain items, which can be useful for harvesting victim credentials
  • Monitoring the victim’s geolocation
  • Running additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, with their binaries stored only in memory

The implant is written in Objective-C, which leaves some debugging information, such as the names of class members and methods, in the generated binary. Curiously, many of the resources accessed and operations performed by the implant are given database-related names - for example, a directory is referred to as a table, while a file is called a record, and the C2 server is a DB server - which led the Kaspersky researchers to name the implant TriangleDB.
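As an added illustration (not code from this post or from the Kaspersky write-up) of why those Objective-C names are recoverable from a Mach-O binary: the parser below walks the load commands to the __objc_classname and __objc_methname sections and lists the strings they hold. It runs on a constructed, minimal Mach-O image carrying made-up, database-flavoured names; the names and the sample image are assumptions, not artefacts of TriangleDB.

```python
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O
LC_SEGMENT_64 = 0x19
OBJC_NAME_SECTIONS = (b"__objc_classname", b"__objc_methname")

def objc_names(data: bytes) -> dict:
    """Walk the load commands of a 64-bit Mach-O image and return the
    NUL-separated strings in its Objective-C class/method name sections."""
    magic, _cpu, _sub, _ftype, ncmds, _szcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat/32-bit images need slicing first)")
    found, off = {}, 32                     # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", data, off + 64)[0]   # segment_command_64.nsects
            sect = off + 72                                         # first section_64 follows
            for _ in range(nsects):
                name, _seg, _addr, size, fileoff = struct.unpack_from("<16s16sQQI", data, sect)
                name = name.rstrip(b"\0")
                if name in OBJC_NAME_SECTIONS:
                    raw = data[fileoff:fileoff + size]
                    found[name.decode()] = [s.decode(errors="replace") for s in raw.split(b"\0") if s]
                sect += 80                                          # sizeof(section_64)
        off += cmdsize
    return found

def build_sample() -> bytes:
    """Constructed minimal Mach-O (not a real implant): one __TEXT segment whose
    two Objective-C string sections carry made-up, database-flavoured names."""
    classes = b"Table\0Record\0DBServer\0"
    methods = b"listRecords:\0deleteRecord:\0sendHeartbeat\0"
    data_off = 32 + 72 + 2 * 80             # strings sit right after the load commands
    def section(name, off, blob):
        return struct.pack("<16s16sQQIIIIIIII", name, b"__TEXT", 0, len(blob), off, 0, 0, 0, 0, 0, 0, 0)
    sects = (section(b"__objc_classname", data_off, classes)
             + section(b"__objc_methname", data_off + len(classes), methods))
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + len(sects), b"__TEXT",
                      0, 0, 0, 0, 7, 5, 2, 0)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(seg) + len(sects), 0, 0)
    return header + seg + sects + classes + methods

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for section_name, names in objc_names(blob).items():
        print(f"{section_name}: {', '.join(names)}")
```

Universal (fat) binaries must be split into a single-architecture slice first, and a stripped or obfuscated build will only yield whatever names its author chose to leave behind.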

Kucherin, Georgy, Leonid Bezvershenko and Igor Kuznetsov, Dissecting TriangleDB, a Triangulation spyware implant, blog post, 21 June 2023. Available online at https://securelist.com/triangledb-triangulation-implant/110050/.

Useful Ransomware Educational Resources

With ransomware being seen by the business community as one of the biggest, if not the biggest, current security threats, it is important to keep ourselves and our business principals well-informed about its evolution. A couple of useful resources have appeared in the last couple of days to assist with this.

First, Sophos has started to release a three-part documentary series entitled "Think You Know Ransomware?", compiled from over 100 hours of interviews with cybercriminals, security experts, industry analysts and policy makers. The first episode, "Origins of Cybercrime" is now available, with episodes 2 and 3 due for release over the next two weeks.

Meanwhile, at the Infosecurity Europe conference, Richard de la Torre, marketing manager at Bitdefender, gave a talk on the myths and misconceptions which surround ransomware. In his talk he describes how proactive defenders are making use of threat intelligence to prevent or disrupt attacks, as well as increasingly using decryptors to recover data. However, as de la Torre points out, ransomware operators are now putting much more effort into information exfiltration, taking time to stealthily move throughout the victim's networks, identifying the most valuable datasets as well as discovering whether they have cyber insurance.

Sophos, Think You Know Ransomware?, documentary series, June 2023. Available online at https://www.sophos.com/en-us/content/ransomware-documentary.

Raywood, Dan, Ransomware Misconceptions Abound, To the Benefit of Attackers, Dark Reading, 22 June 2023. Available online at https://www.darkreading.com/vulnerabilities-threats/ransomware-misconceptions-abound-to-the-benefit-of-attackers.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
